Change Your Password Now If It’s On This List

If you use one of these 20 passwords, change it now.
Update, May 24, 2025: This story, originally published May 23, has been updated with another list proving that it’s not just passwords that you need to change, but PIN codes as well.
It would be all too easy to assume that your password is safe enough if you don’t share it between sites and services, if you are aware of and take action to prevent phishing attacks, or if you ensure that sophisticated infostealer malware doesn’t come anywhere near your devices. But what if you were wrong? What if your password is so weak it could be cracked in less time than it takes me to type the next word? Yes, it is that quick, folks. What if automatic password hacking machines laugh in the face of your security efforts? If your password is on this newly published list, change it now or suffer the inevitable hacking consequences. You have been warned.
The Password List You Don’t Want To Be On
You really don’t want to be on any password list, and most of them are compiled by cybercriminals using infostealer malware logs. But even with the global disruption of crime-industry leaders such as the Lumma Stealer network, your biggest enemy often isn’t the shady hacker after your credentials, it’s you yourself.
Let me explain through the optics of a May 22 Huntress Security report that revealed the 20 most commonly used and therefore weakest passwords you could deploy. Look, I get it, ease of use is key, if you’ll pardon the pun, and that’s why people stick to familiar passwords that they have used for years. Passwords that they share across accounts. Passwords that are easy to type as well as recall. And that, right there, is your biggest mistake. If you do it, other people will do so as well, and that’s why if your password is on this list you must change it now. No ifs or buts, no procrastinating, no I’ll do it later.
The Password List In Full
Change that password right now. Here’s the list in full:
- 123456
- 123456789
- 12345678
- password
- qwerty123
- qwerty1
- 111111
- 12345
- secret
- 123123
- 1234567890
- 1234567
- 000000
- qwerty
- abc123
- password1
- iloveyou
- 11111111
- dragon
- monkey
I will admit, even as a cybersecurity veteran and hacker of old, I was surprised to see both dragon and monkey on the list. Considering there aren’t that many proper words included, numerical strings remain the go-to for lazy password creators; they wouldn’t have been my first choices. And that’s from someone who has something of an obsession with monkeys. Every day is a school day, although you should know better than to use dictionary words, and very short dictionary words at that.
So, you know what to do: change that password now. Better still, switch to using passkeys instead, as they are way more secure and even easier to use. I would also recommend using a password manager to both create and use your passwords, as this will enable you to make strong, random and unique choices.
Take Care Of Your PIN Codes As Well As Passwords
It’s not just password lists you need to take note of; what about your PIN? Yes, the four-digit code that underpins your smartphone lock biometrics and is still required on occasion, such as when your fingerprint or face recognition doesn’t work, or after an operating system update or phone reset, for example. I have just published a list of 50 PIN codes that you should never use, simply because they are so popular. They have turned up in an analysis of nearly 30 million such codes that appeared in data breach lists, with ten percent of the codes in that bunch being the same ones used over and over. If I can find that list, potential smartphone robbers, family snoopers and anyone else can find that list. If your PIN code is on it, you should change it.
There’s another bunch of PIN codes that you should avoid as well, and these are the ones that can be cracked within the blink of an eye by new AI attack tools. New research found that PINs with the same digits are the worst: 5555 could be guessed in just 0.37 seconds. Also weak are any consecutive numbers, those that are created using pairs and patterns, and, of course, anything that is or resembles a date. I could likely unlock 90% of family members’ smartphones, truth be told, as dates of birth seem to rule supreme.
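An added example, not part of the original article or the Huntress report: a Python check that rejects the 20 listed passwords and flags four-digit PINs in the categories named above. The function names, the wrap-around treatment of runs such as 7890, the pair shapes (1212, 1221, 1122) and the date shapes (a year from 1900 to 2099, MMDD or DDMM) are assumptions made for illustration.

```python
from datetime import date

# The 20 passwords listed in the article, used here as a deny-list.
COMMON_PASSWORDS = frozenset(
    "123456 123456789 12345678 password qwerty123 qwerty1 111111 12345 "
    "secret 123123 1234567890 1234567 000000 qwerty abc123 password1 "
    "iloveyou 11111111 dragon monkey".split()
)

def password_is_listed(candidate: str) -> bool:
    """True if the candidate is on the list, ignoring case and outer spaces."""
    return candidate.strip().lower() in COMMON_PASSWORDS

def _is_run(pin: str) -> bool:
    """Consecutive digits up or down; wrap-around (7890) is an assumption."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def _looks_like_date(pin: str) -> bool:
    """Assumed date shapes: a year 1900-2099, or MMDD / DDMM."""
    if 1900 <= int(pin) <= 2099:
        return True
    a, b = int(pin[:2]), int(pin[2:])
    for month, day in ((a, b), (b, a)):
        try:
            date(2000, month, day)  # 2000 is a leap year, so 29 Feb passes
            return True
        except ValueError:
            continue
    return False

def weak_pin_reasons(pin: str) -> list[str]:
    """Return every weak-PIN category a four-digit PIN falls into."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four ASCII digits")
    reasons = []
    if len(set(pin)) == 1:
        reasons.append("same digit")
    if _is_run(pin):
        reasons.append("consecutive")
    # Assumed pair shapes: ABAB, ABBA and AABB.
    paired = (pin[:2] == pin[2:] or pin == pin[::-1]
              or (pin[0] == pin[1] and pin[2] == pin[3]))
    if len(set(pin)) > 1 and paired:
        reasons.append("pair or pattern")
    if _looks_like_date(pin):
        reasons.append("date-like")
    return reasons  # an empty list means none of the categories matched
```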